The Most Common Hiding Places For Workplace Passwords

When I was an IT admin, I had the pleasure of dealing with people who would submit urgent service requests about a problem they were having and then leave for the day, leaving their office empty and computer locked by the time I could get there to help. Fortunately, in many cases, I was able to fix their problem while they weren’t there. Why? Their password was somewhere on their desk in one of these easy-to-find locations.

Under the Keyboard. This is a pretty common one, and one of the first places to look if you need to find someone’s password (or one of the first places to avoid if you need to jot down an often-used but difficult-to-remember password). The worst offenders leave them on a Post-It on their keyboard tray, or under the spot where their keyboard lives. Others attach the Post-It to the underside of the keyboard, thinking it’s better hidden there. In both cases, it’s a sure bet that anything under the keyboard will have a password on it.

Under the Phone. A surprising number of people still keep their passwords tacked to the underside of their desk phone or its receiver. The people who usually put their passwords here think they’re being smart and stealthy, but in reality taping a yellow Post-It note to the underside of your phone just screams “passwords here!”

Under the Mouse Pad. This is another common hiding place for people who don’t want to put their passwords under their keyboard. They’ll usually slide a couple of sheets of paper under the mousepad with their usernames and passwords on it and refer to them when they forget, or update them when their password expires.

On the Monitor. This one isn’t so much a “hiding place” as one of those “security through obscurity” techniques that almost never work. Most often practiced by people who keep dozens of other Post-Its on their monitor, this technique is still easy to get around as soon as you have physical access to the person’s computer. Besides, it’s not too hard to glance through the Post-Its on the monitor and find the one that has “u: something/p: something else” on it.

In the Top Drawer. Most people who work in open offices with short cubicles tend to lock their desk drawers, but colleagues I’ve worked with who had their own offices or had semi-isolated cubicles were almost always guilty of leaving their desk drawers unlocked. When I would visit their offices, the master list of their usernames and passwords was almost always in the top drawer, on a scrap of paper or the top of a thick stack of Post-It notes, usually in plain view.

Under the Desk. One of the most disturbingly common spots where many office workers hide their passwords is one of the easiest to find: right under their desk surface. Just sit down at their desk and put your hand directly under the desktop, and you’ll often find yet another Post-It note attached there. Most people who do this operate under the assumption that no one’s ever under their desk to see or notice such a thing, except the IT admin or help desk tech they call when they’ve jostled the Ethernet cable loose from the back of their desktop.

This list isn’t exhaustive: anyone who’s spent time as a field technician or IT admin in an office will tell you that people often leave their passwords in strange places that are easier to find than the user ever hoped they would be.

In many offices, the most common hiding spots for Post-It notes and paper scraps laden with login information depend on the office furniture and office layout. For example, if your cubicles have low cabinets right over most users’ monitors, you can expect to find a few people keeping their passwords on the inside of those cabinets. I knew one person who put Post-It notes on the bottom of their chair — she was livid when she arrived one morning to find a colleague had borrowed her chair for an impromptu meeting in her office next door.

If you keep your passwords in any of these places, stop now before it’s too late. You may be making your IT admin’s life a little easier when he or she drops by to fix your computer problems, but they know full well you’re sacrificing your organisation’s security in the process. Now is a good time to give a service like LastPass, an app like 1Password or one of these great alternatives a try, so you can remember one password and then mix up the passwords you use for other services. While you’re at it, make sure you’re using good, strong passwords. And don’t put in urgent service requests and then leave for the day: submit them when you know you’ll be around to help your technician troubleshoot the problem, or don’t claim it’s urgent.

Do you know an office worker that keeps their passwords on Post-Its or in notebooks on their desk? How do you keep your passwords safe from prying eyes without compromising their security? Share your tips in the comments.

Discuss

A computer at work (I work at a gym) has a laminated card on the monitor with the BIOS password, Windows login username and password, our internal software login and password and our gym software admin login and password.

I work in an office where the passwords need to be changed every month. How does someone remember a constantly changing password that is easy to remember but hard for people to guess?

Unless they come up with a pattern (like keep the same password and increment the number at the end), but that completely undermines the whole security thing, because once someone finds your pattern out it only takes guessing one more number to crack it.

Do IT admins ever do any analysis on how many times they need to reset people's passwords vs how many times people give their passwords away knowingly for someone else to use?

It's a tricky problem. Regularly resetting passwords is essentially just to limit the potential damage when an account is compromised by reducing the time it can be exploited in.

When I got to my current office there was forced monthly password changing and moderate password complexity. Almost everybody not only used a system for passwords, they used the exact same system - a combination of month and year (say, October2011). With a monthly password reset, it worked out great for them.

Now we have a 3-month reset and I've done my best to educate staff about better password choosing. On paper we're less secure, but in reality we're a lot safer.

At my current workplace, all non-managerial staff have the same password. I'll let that sink in before I mention that we have Outlook Web Access for all users and usernames are given names. Seriously. Luckily only a few users are savvy enough to realise the implications of this. However, who among them is evil enough to take advantage of it...

Slightly off subject, but the one that always gets me is the "Your password will expire in 14 days. Do you want to change it now?" prompt from Windows. This prompt continues every time you log in. Why do we need it? I'll change it in 14 days thanks very much Mr Computer, STOP ASKING ME!!!

@churchado it is a reminder that if your password is not changed it will expire. Then people who thought it was easier to ignore the prompt than to action it call me on the weekend and after hours to reset their passwords when they want webmail or because their iPhone stops syncing mail.

Do you also have a problem with needing to have a password that is 8 characters long, has a capital letter and a number?

Not to sound suspicious or anything, there are programs that help with that. I won't name them, but they are legal to use, especially when you take a computer back to your office to work on and the person is on holiday and you can't get a hold of them. Then there's the offices that just have password password.

If someone wants me to fix their computer, doesn't give me the password for it and goes away on a holiday, then their computer is not getting fixed until they return and cough up the password.
There's a name for people like that: Timewasters.

By the way, Hiren's Boot Disk 10.5 has a tool called Active Password Changer. This utility can remove passwords off any computer on the market, any OS, any level of security excluding 128-bit encrypted systems. Passwords are meaningless to someone who knows this.

I don't think they should be written down at all. If you need to keep them stored somewhere, use a centralised protected program like PasswordSafe or something similar. Not perfect, but it beats random post-it notes!

I had a mate who worked for a major bank dealing with some very sensitive systems. Their passwords were so complex and required changing so often that everyone this side of Rain Man just wrote it down and left it on their desk. 12 characters including numbers, symbols and upper and lower case, no more than 2 of the same char, no words. Something like that.